'Smart cameras turned into surveillance tools'

There are several attacks threat actors could commit by exploiting these vulnerabilities.

Researchers from Kaspersky Lab have uncovered a slew of security vulnerabilities in popular smart cameras that could enable attackers to obtain remote access to video and audio feeds from the cameras.

In addition, they could remotely disable these devices, execute arbitrary malicious code on them as well as commit other acts of malfeasance.

Today's smart cameras feature an number of functions, and are often used as baby monitors, or for internal home and office security surveillance. Kaspersky Lab poses the question: "But, are these cameras secure enough by design and what if such a smart camera started watching you, instead of watching your home?"

Analysis conducted in the past by a variety of security researchers has revealed that smart cameras in general tend to contain security vulnerabilities varying in severity.

This recent research, however, has uncovered something astonishing. Not just one, but an entire range of smart cameras was found to be vulnerable to a number of severe remote attacks, due to an insecurely designed cloud-backbone system that was initially created to enable the owners of these cameras to remotely access video from their devices.

Kaspersky says there are several attacks threat actors could commit by exploiting these vulnerabilities, including accessing video and audio feeds from any camera connected to the vulnerable cloud service, and remotely gaining root access to a camera to use as an entry-point for further attacks on other devices on both local and external networks.

In addition, threat actors could remotely upload and execute arbitrary malicious code on the cameras, steal personal information such as users' social network accounts and information which is used to send users notifications, as well as remotely "brick" vulnerable cameras.

How it works

According to Kaspersky, these attacks were made possible because the way the cameras interacted with the cloud service was insecure and open to relatively easy interference. Moreover, the architecture of the cloud service itself was vulnerable to external interference.

"It is important to note that such attacks were only possible if attackers knew the serial number of the camera," the researchers add. "However, the way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registering system didn't have brute force protection."

During the course of their research, the researchers identified nearly 2 000 vulnerable cameras working online, but these were only devices that had their own IP address, and were directly available through the Internet. "The real number of vulnerable devices placed behind routers and firewalls could actually be several times higher," the company explains.

False assumptions

Vladimir Dashchenko, head of vulnerabilities research group at Kaspersky Lab ICS CERT, says customers and vendors alike make the false assumption that placing an Internet of things (IOT) device inside your network, and separating it with the help of a router, will take care of most security problems.

Although access to the router is usually needed in order to exploit security issues in devices inside of a targeted network, this isn't always the case, he explains. "Our research shows that this may not actually be the case at all, given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable."

"The interesting thing is that besides the previously described attack vectors such as malware infections and botnets, we found that the cameras could also be used for mining. While mining is becoming one of the main security threats facing businesses, IOT mining is an emerging trend due to the growing prevalence of IOT devices, and will continue to increase," he adds.

Quick fix

Following the discovery of the vulnerabilities, the security giant contacted Hanwha Techwin, the manufacturer of the affected cameras, to report them. Some vulnerabilities have since been fixed, while the remaining vulnerabilities will be fixed soon, the manufacturer says.

Hanwha Techwin says: "The security of our customers is the highest priority for us. We have already fixed the camera's vulnerabilities, including the remote upload and execution of arbitrary malicious code. We have released updated firmware available to all our users. Some vulnerabilities related to the cloud have been recognised and will be fixed soon."